How to backup and restore file, services, and registry security permissions

Zephyr
Posts: 171
Joined: Sun Nov 22, 2015 4:53 pm
Location: London

Post by Zephyr » Sat Feb 27, 2021 10:42 am

When programs do not load because of access denied errors the only troubleshooting option is to use the Microsoft Process Monitor and examine the display in real time of the program's access of files and registry entries. A program may make over a million searches in the file system and registry which makes this approach time consuming and the outcome is uncertain. The solution to this problem I am proposing is to back up file, registry and service security permissions from a fresh install of Windows and use this to restore security permissions to their default state. It is advisable to backup security permissions in the SDDL format, so that the results can be used in any PC with a single user with administrative rights.

FILES

The program icacls.exe is included with Server 2003, Vista and above. It can be used to save and restore security permissions of files and folders in the SDDL format as in this example:

Fonts
D:AI(A;ID;0x1200a9;;;BU)(A;OICIIOID;GXGR;;;BU)(A;ID;FA;;;BA)(A;OICIIOID;GA;;;BA)(A;ID;FA;;;SY)(A;OICIIOID;GA;;;SY)(A;OICIIOID;GA;;;CO)

This command will save the ACLs for all files and folders under %SystemRoot% (ie. Windows folder):

Code:

icacls %SystemRoot%\* /save "%UserProfile%\My Documents\Windows ACLs.txt" /t /c

This command will restore the ACLs for every file and subfolder under %SystemRoot% from the ACL file saved as "Windows ACLs.txt". On my fully updated XP SP3 installation the file was 963 KB in size and contained 5731 entries.

Code:

icacls %SystemRoot%\ /restore "%UserProfile%\My Documents\Windows ACLs.txt" /c


Icacls may not be able to restore the ACL for a file or folder if it has been corrupted and access is denied. If that is the case then use SubInACL from the Windows 2000 Server Resource Kit or the NT Server 4.0 Resource Kit. It can be downloaded from here. A suitable command to save all the ACLs for all files and folders under %SystemRoot% (ie. Windows folder) is:

Code:

subinacl /errorlog="%UserProfile%\My Documents\Errors.log" /output="%UserProfile%\My Documents\Windows ACLs.txt" /subdirectories %SystemRoot%\* /display=sddl

On my XP SP3 machine this produced a file 2304 KB in size with 10212 entries. To restore the ACLs to all files and subfolders under %SystemRoot% (ie. Windows folder) use this command:

Code:

subinacl /errorlog="%UserProfile%\My Documents\Errors.log" /playfile "%UserProfile%\My Documents\Windows ACLs.txt"


When I tried this I received a summary that said 10212 Modified and 10212 Failed although the error log contained no entries, so this may mean that the operation failed.

SERVICES

The command sc sdshow [service name] will display the security descriptor for a service. I exported the services key from the registry to obtain a list of the services and used this command to obtain the security descriptors for all of the listed services including kernel drivers:

Code:

for %f in ( Abiosdsk abp480n5 ACPI........) do sc sdshow %f

This gives an output like this:

sc sdset Abiosdsk D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)

sc sdset abp480n5 D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)

sc sdset ACPI D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)

I have made a batch file to restore all the security descriptors of the services in Windows XP Home Edition which I include here as an attachment. If you have another version of Windows I advise you to use the instructions here to make your own batch file rather than use the one I have provided. If you do use Windows XP Home Edition use the batch file with caution and make a restore point first. One problem I found with this approach is that the sc command cannot override denial of access when a service has corrupted security permissions. That means that my batch file will not restore service security permissions but will indicate which service has corrupted security permissions like so:

AppMgmt
[SC] OpenService FAILED 5:

Access is denied.

Perhaps a more reliable way of restoring service security descriptors is to use the SubInACL utility which is not included with Windows. This command will save the security descriptors for all services:

Code:

subinacl /errorlog="%UserProfile%\My Documents\Errors.log" /output="%UserProfile%\My Documents\Services_Permissions.txt" /service * /display=sddl

On my machine it produced results for the 81 services that require a process to be running (not kernel drivers) in this format:

+Service Alerter
/sddl=O:SYG:SYD:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)
(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)S:
(AUFA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

To restore all the service security descriptors use the /playfile feature to run SubInACL in batch mode thus:

Code:

subinacl /errorlog="%UserProfile%\My Documents\Errors.log" /playfile "%UserProfile%\My Documents\Services_Permissions.txt"

REGISTRY

SubInACL can be used to save and restore registry permissions. To save all the security permissions for HKEY_CURRENT_USER use this command:

Code:

subinacl /errorlog="%UserProfile%\My Documents\Errors.log" /output="%UserProfile%\My Documents\HKCU_Permissions.txt" /subkeyreg HKEY_CURRENT_USER /display=sddl

On my machine this produced a file of size 839 KB with entries in the format of this example:

+KeyReg HKEY_CURRENT_USER\AppEvents\EventLabels\ActivatingDocument
/sddl=O:S-1-5-21-854245398-1708537768-1644491937-1004G:
S-1-5-21-854245398-1708537768-1644491937-513D:
(A;;KA;;;S-1-5-21-854245398-1708537768-1644491937-1004)
(A;OICIIO;GA;;;S-1-5-21-854245398-1708537768-1644491937-1004)(A;;KA;;;SY)(A;OICIIO;GA;;;SY)(A;;KA;;;BA)(A;OICIIO;GA;;;BA)(A;;KR;;;RC)(A;OICIIO;GR;;;RC)

To restore all the security permissions for HKEY_CURRENT_USER use the /playfile feature to run SubInACL in batch mode thus:

Code:

subinacl /errorlog="%UserProfile%\My Documents\Errors.log" /playfile "%UserProfile%\My Documents\HKCU_Permissions.txt"

When I tried to restore HKCU like this I received the message:

Done: 1202, Modified 1201, Failed 1, Syntax errors 0.
Last Done : HKEY_CURRENT_USER\Volatile Environment
Last Failed: HKEY_CURRENT_USER\Console\D:\WINDOWS_system32_cmd.exe : 2 The system cannot find the file specified.

An alternative tool to use for this purpose is SetAcl which can be obtained here. Here is the command to backup the registry hive HKEY_CURRENT_USER with the components of security descriptors to include DACLs and Owners:

Code:

SetAcl.exe -on "HKCU" -ot "reg" -lst "f:sddl;w:d,o;i:n;s:y" -actn list -rec yes -bckp "%UserProfile%\My Documents\HKCU_Permissions[2].txt"

To restore all the security permissions for the registry hive HKEY_CURRENT_USER use the same command except the action (-actn) is restore:

Code:

SetAcl.exe -on "HKCU" -ot "reg" -lst "f:sddl;w:d,o;i:n;s:y" -actn restore -rec yes -bckp "%UserProfile%\My Documents\HKCU_Permissions[2].txt"

When I tried this I received the message "SetACL finished successfully." You can read a detailed account of how these SetAcl commands were assembled here.
Attachments
Show_Services[XP_SP3].zip
This is for a fully updated installation of XP SP3 home Edition without the POSREADY 2009 addon.
Restore_Services[XP_SP3].zip
This is for a fully updated installation of XP SP3 Home Edition without the POSREADY 2009 addon. Make a restore point before using.
Last edited by Zephyr on Thu May 19, 2022 5:27 am, edited 7 times in total.
XP FOREVER!
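Editor's note: the post above saves descriptors as SDDL text but never explains how to read a line like D:AI(A;ID;0x1200a9;;;BU) or how to find which ACE on a broken machine differs from the fresh-install baseline. The following Python script is an added example, not code from the post or its attachments. It decodes the six-field ACE form that icacls, sc sdshow and SetACL emit (two-letter SID aliases, ACE flags, two-letter rights tokens and hex access masks), names the bits according to the object type (file, registry key or service, per the documented ACCESS_MASK layouts for each), and diffs a baseline DACL against a current one. The Fonts ACL and the Alerter descriptor are copied from the post; TAMPERED_ALERTER is a constructed variant in which Authenticated Users have been given start/stop rights. The SID alias table is a subset. The audit ACE printed by subinacl as (AUFA;...;;;WD) is not standard six-field SDDL and is reported under "unparsed" rather than guessed at.

```python
"""Decode and diff SDDL strings of the kind icacls /save, subinacl /display=sddl,
sc sdshow and SetACL -lst f:sddl produce.  Added example, not code from the post."""
import re
from dataclasses import dataclass

# Well-known two-letter SID aliases (subset); unknown aliases and S-1-... SIDs pass through.
SID_ALIASES = {"BA": "BUILTIN\\Administrators", "BU": "BUILTIN\\Users",
               "PU": "BUILTIN\\Power Users", "SY": "NT AUTHORITY\\SYSTEM",
               "AU": "NT AUTHORITY\\Authenticated Users", "WD": "Everyone",
               "CO": "CREATOR OWNER", "RC": "NT AUTHORITY\\RESTRICTED"}
ACE_TYPES = {"A": "ALLOW", "D": "DENY", "AU": "AUDIT", "OA": "OBJECT_ALLOW", "OD": "OBJECT_DENY"}
ACE_FLAGS = {"CI": "CONTAINER_INHERIT", "OI": "OBJECT_INHERIT", "NP": "NO_PROPAGATE",
             "IO": "INHERIT_ONLY", "ID": "INHERITED", "SA": "AUDIT_SUCCESS", "FA": "AUDIT_FAILURE"}
# Rights tokens -> ACCESS_MASK bits: generic, standard, object-specific, file and registry sets.
RIGHT_TOKENS = {"GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000,
                "RC": 0x20000, "SD": 0x10000, "WD": 0x40000, "WO": 0x80000,
                "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
                "DT": 0x40, "LO": 0x80, "CR": 0x100,
                "FA": 0x1F01FF, "FR": 0x120089, "FW": 0x120116, "FX": 0x1200A0,
                "KA": 0xF003F, "KR": 0x20019, "KW": 0x20006, "KX": 0x20019}
# The low object-specific bits mean different things depending on what the DACL protects.
SPECIFIC_BITS = {
    "file": ["READ_DATA", "WRITE_DATA", "APPEND_DATA", "READ_EA", "WRITE_EA",
             "EXECUTE", "DELETE_CHILD", "READ_ATTRIBUTES", "WRITE_ATTRIBUTES"],
    "registry": ["QUERY_VALUE", "SET_VALUE", "CREATE_SUB_KEY", "ENUMERATE_SUB_KEYS",
                 "NOTIFY", "CREATE_LINK"],
    "service": ["QUERY_CONFIG", "CHANGE_CONFIG", "QUERY_STATUS", "ENUMERATE_DEPENDENTS",
                "START", "STOP", "PAUSE_CONTINUE", "INTERROGATE", "USER_DEFINED_CONTROL"]}
STANDARD_BITS = {0x10000: "DELETE", 0x20000: "READ_CONTROL", 0x40000: "WRITE_DAC",
                 0x80000: "WRITE_OWNER", 0x100000: "SYNCHRONIZE", 0x10000000: "GENERIC_ALL",
                 0x20000000: "GENERIC_EXECUTE", 0x40000000: "GENERIC_WRITE", 0x80000000: "GENERIC_READ"}


@dataclass(frozen=True)
class Ace:
    kind: str          # ALLOW, DENY, AUDIT, ...
    flags: frozenset   # inheritance / audit flags
    mask: int          # ACCESS_MASK
    trustee: str       # resolved alias or the raw SID string


def parse_mask(rights: str) -> int:
    """'0x1200a9' -> 0x1200A9; 'CCLCSWRP' -> OR of the two-letter tokens."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    if len(rights) % 2:
        raise ValueError(f"odd-length rights string {rights!r}")
    mask = 0
    for i in range(0, len(rights), 2):
        mask |= RIGHT_TOKENS[rights[i:i + 2]]      # KeyError on an unknown token
    return mask


def parse_ace(text: str) -> Ace:
    """Parse one '(type;flags;rights;object_guid;inherit_guid;sid)' ACE."""
    fields = text.strip("()").split(";")
    if len(fields) != 6:  # e.g. subinacl's '(AUFA;...;;;WD)' audit form is not standard SDDL
        raise ValueError(f"non-standard ACE {text!r}")
    kind, flags, rights, _obj, _inh, sid = fields
    flag_names = frozenset(ACE_FLAGS.get(flags[i:i + 2], flags[i:i + 2])
                           for i in range(0, len(flags), 2))
    return Ace(ACE_TYPES.get(kind, kind), flag_names, parse_mask(rights), SID_ALIASES.get(sid, sid))


def parse_sddl(sddl: str) -> dict:
    """Split 'O:..G:..D:..S:..' into owner, group, DACL/SACL ACE lists and flags, plus
    the ACEs that could not be parsed.  Whitespace (subinacl wraps long descriptors over
    lines) and any prefix before the first section marker (such as '/sddl=') are ignored."""
    s = re.sub(r"\s+", "", sddl)
    marks = [m.start() for m in re.finditer(r"[OGDS]:", s)] + [len(s)]
    parts = {s[a]: s[a + 2:b] for a, b in zip(marks, marks[1:])}
    out = {"owner": parts.get("O", ""), "group": parts.get("G", ""), "unparsed": []}
    for key, name in (("D", "dacl"), ("S", "sacl")):
        body = parts.get(key, "")
        cut = body.find("(")
        out[name + "_flags"] = body if cut < 0 else body[:cut]
        out[name] = []
        for ace in re.findall(r"\([^)]*\)", body):
            try:
                out[name].append(parse_ace(ace))
            except (ValueError, KeyError):
                out["unparsed"].append(ace)
    return out


def describe_mask(mask: int, obj: str) -> list:
    """Name every set bit of an ACCESS_MASK for a 'file', 'registry' or 'service' object."""
    names = [n for i, n in enumerate(SPECIFIC_BITS[obj]) if mask & (1 << i)]
    return names + [n for bit, n in STANDARD_BITS.items() if mask & bit]


def diff_dacl(baseline: str, current: str):
    """ACEs in the baseline that are missing now, and ACEs added since the baseline.
    Flags take part in the comparison, so a dropped inheritance bit is also reported."""
    base, cur = set(parse_sddl(baseline)["dacl"]), set(parse_sddl(current)["dacl"])
    return sorted(base - cur, key=str), sorted(cur - base, key=str)


# Samples: FONTS_ACL and BASELINE_ALERTER are copied from the post; TAMPERED_ALERTER is
# constructed for this example (Authenticated Users gain SERVICE_START/STOP and more).
FONTS_ACL = ("D:AI(A;ID;0x1200a9;;;BU)(A;OICIIOID;GXGR;;;BU)(A;ID;FA;;;BA)(A;OICIIOID;GA;;;BA)"
             "(A;ID;FA;;;SY)(A;OICIIOID;GA;;;SY)(A;OICIIOID;GA;;;CO)")
BASELINE_ALERTER = """/sddl=O:SYG:SYD:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)
(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)S:
(AUFA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"""
TAMPERED_ALERTER = BASELINE_ALERTER.replace("(A;;CCLCSWLOCRRC;;;AU)", "(A;;CCLCSWRPWPDTLOCRRC;;;AU)")

if __name__ == "__main__":
    for ace in parse_sddl(FONTS_ACL)["dacl"]:
        print(f"{ace.kind:5} {ace.trustee:28} {sorted(ace.flags)} {describe_mask(ace.mask, 'file')}")
    lost, added = diff_dacl(BASELINE_ALERTER, TAMPERED_ALERTER)
    for ace in lost:
        print("LOST :", ace.trustee, describe_mask(ace.mask, "service"))
    for ace in added:
        print("ADDED:", ace.trustee, describe_mask(ace.mask, "service"))
```

Run it with a baseline file from a fresh install and the output of sc sdshow or subinacl from the suspect machine and the diff names the exact trustee and rights that changed; for the Fonts line it shows that 0x1200a9 is simply FR|FX (read and execute) and that the BU, BA and SY entries with the ID flag are inherited rather than explicitly set, which matters when deciding whether to restore the object or its parent.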

Zephyr

Re: How to backup and restore file, services, and registry security permissions

Post by Zephyr » Sat Feb 27, 2021 10:43 am

Deleted
XP FOREVER!

bphlpt
Posts: 1398
Joined: Sat Apr 19, 2008 1:11 am

Re: How to backup and restore file, services, and registry security permissions

Post by bphlpt » Sat Feb 27, 2021 9:52 pm

Thanks, @Zephyr! Very interesting, and probably applicable to more than XP.
